{"id":145899,"date":"2015-11-12T12:50:27","date_gmt":"2015-11-12T10:50:27","guid":{"rendered":"http:\/\/mybroadband.co.za\/news\/?p=145899"},"modified":"2015-11-12T12:51:42","modified_gmt":"2015-11-12T10:51:42","slug":"linux-encryption-ransomware-hacked-how-to-get-your-files-back","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/145899-linux-encryption-ransomware-hacked-how-to-get-your-files-back.html","title":{"rendered":"Linux encryption ransomware hacked \u2013\u00a0how to get your files back"},"content":{"rendered":"<p>The ransomware trojan <strong><a href=\"http:\/\/mybroadband.co.za\/news\/security\/145543-new-encryption-ransomware-targets-linux-servers.html\">Linux.Encoder.1<\/a><\/strong> has been defeated, thanks to a critical flaw in the way it encrypts files.<\/p>\n<p>Bitdefender Labs said it found a way to recover the AES key the malware uses to encrypt the files on the Linux servers it targets.<\/p>\n<p>It said the AES key is generated on the victim\u2019s computer, and after reverse-engineering how the key and initialisation vector are generated, researchers discovered a design flaw.<\/p>\n<p>The Linux.Enocder.1 sample derived the key and initialisation vector using the <code>rand()<\/code> function from the standard C library, seeded with the current system timestamp at the moment of encryption.<\/p>\n<p>This information can be retrieved by looking at the file\u2019s timestamp.<\/p>\n<p>It released the following guide on how to get your data back.<\/p>\n<h3 class=\"my-4\">Recovering your server from a Linux.Encoder.1 infection<\/h3>\n<ul>\n<li><strong><a href=\"http:\/\/labs.bitdefender.com\/wp-content\/plugins\/download-monitor\/download.php?id=Decrypter_0-1.3.zip\">Download the script<\/a><\/strong> from the Bitdefender Labs repository.<\/li>\n<\/ul>\n<p>The chances are that the encryption has affected system files, and you might need to boot from a live CD or mount the affected partition on a different machine.<\/p>\n<ul>\n<li>Mount the encrypted partition using the <code>mount \/dev\/[encrypted_partition]<\/code><\/li>\n<li>Generate a list of encrypted files by issuing the following command: <code>\/mnt# sort_files.sh encrypted_partition &gt; sorted_list<\/code><\/li>\n<li>Issue a head command to get the first file: <code>\/mnt# head \u20131 sorted_list<\/code><\/li>\n<li>Run the decryption utility to get the encryption seed: <code>\/mnt# python decrypter.py \u2013f [first_file]<\/code><\/li>\n<li>Decrypt everything using the displayed seed: <code>\/mnt# python \/tmp\/new\/decrypter.py -s [timestamp] -l sorted_list<\/code><\/li>\n<\/ul>\n<h3 class=\"my-4\">Some machines double-infected<\/h3>\n<p>Bitdefender said it received complaints that its recovery tool was not working for everyone.<\/p>\n<p>It found that some machines were infected with Linux.Encoder.1 more than once, suggesting that the trojan was executed multiple times.<\/p>\n<p>This means that some files were encrypted using a key, and others using another set of keys. In doing so, a race condition is created that destroys some files.<\/p>\n<p>It updated its tool to take this evolution of the ransomware into account, and released a new version of the script for download on its website.<\/p>\n<h3 id=\"related\">More security news<\/h3>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/145543-new-encryption-ransomware-targets-linux-servers.html\"><strong>New encryption ransomware targets Linux servers<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/internet\/144847-your-online-porn-history-with-your-name-leaked-online-experts-comment.html\"><strong>Your online porn history with your name leaked online: experts comment<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/145681-fingerprints-should-never-be-used-as-passwords.html\"><strong>Fingerprints should never be used as passwords<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/144967-new-android-adware-is-almost-impossible-to-get-rid-of.html\"><strong>New Android adware is almost impossible to get rid of<\/strong><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bitdefender has found a critical flaw in the Linux.Encoder.1 ransomware, and has released a tool to decrypt the files it is holding to ransom.<\/p>\n","protected":false},"author":23,"featured_media":145545,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[36,22485,10486,1799],"class_list":["post-145899","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-active","tag-bitdefender","tag-dr-web","tag-linux"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/145899"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=145899"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/145899\/revisions"}],"predecessor-version":[{"id":145915,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/145899\/revisions\/145915"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/145545"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=145899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=145899"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=145899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}